The National Federation of Independent Business and Visa USA have teamed up to promote fraud prevention and help educate Sacramento-area business owners about cyber thieves.

At a recent event co-sponsored by the small-business advocacy organization and the credit card giant, small-business owners were urged to be proactive to ensure they don't fall victim to the growing problem of hackers who nab customers' financial data that businesses store, in some cases unknowingly.

"If you don't take steps to protect your business, you will be a victim," said Brian Korbs, a senior special agent with the U.S. Secret Service and a member of the Sacramento Valley Hi-Tech Crimes Task Force.

As large merchants have tightened data security practices, fraud has migrated to smaller businesses, officials said. NFIB and Visa are working together to try to strengthen security among small businesses, or those that process fewer than 1 million credit card transactions per year.

Fifteen years ago, identity thieves were scavenging through Dumpsters for sensitive information such as Social Security numbers and manufacturing counterfeit credit cards using card embossing machines. Today, hackers more commonly gather sensitive data by exploiting software vulnerabilities, and embossing machines are something of a "relic," Korbs said.

Equal opportunity hackers

While fewer than 5 percent of potentially exposed credit card accounts are stolen from small businesses, more than 80 percent of all identified breach incidents since Jan. 1, 2005, occurred at small businesses, according to Visa.

Sixty-one percent of small businesses have never sought out information about how to properly handle and store customer information, according to a recent survey commissioned by NFIB and Visa. Thirty-nine percent of small businesses say they rely on common sense to keep data safe, according to the survey.

Small businesses recognize how important data security is, but few of them have processes in place to protect their customers and employees, or have knowledge about the data they store, Kabateck said.

"The sense that I get from a lot of small merchants is they really don't know why anyone would target them," said Jennifer Fischer, a director with Visa USA who is responsible for the company's cardholder information security program. "The unfortunate thing is hackers don't discriminate."

Hackers take advantage of vulnerabilities in a merchant's payment application. There are two common weaknesses they most often exploit, Fischer said.

First, some merchants enable remote access to a Web-based computer system for vendors or employees, but when such a system lacks security features, such as strong passwords, it creates a "huge point of exposure," Fischer said.

Second, some third-party software applications automatically store sensitive cardholder data that's read from the magnetic stripe when a credit card is swiped through a point-of-sale machine.

"Our motto is, don't store it if you don't need it," Fischer said.

It's a violation of Visa rules to store any data except the cardholder's name, account number and the card expiration date.

Visa has a list of software applications that have demonstrated to a qualified security assessor that they handle data properly. The list can be checked at visa.com/cisp. If a product is not on the list, it might still be OK, just not yet validated by the vendor, Fischer said.

She advises small businesses to check with their software vendor or merchant bank to find out if the application they use stores magnetic stripe data. Ideally, the application would capture the cardholder's name, account number and expiration date, if that information is needed, and "destroy," or overwrite, the rest of the data.

Vulnerable applications can be upgraded to a more secure version, with upgrades costing as little as $199, she said.

At the very least, what's at stake is a company's good name and the trust customers place in that business, officials said.

Joseph Finizio, executive director of the Retail Solutions Providers Association, representing vendors and resellers of retail technology, said a security breach can cost tens of thousands of dollars, crippling a small business.

A costly lesson

A breach that lasted more than six months at Spanky's Marshside, a restaurant in Brunswick, Ga., has so far cost Spanky's about $110,000, said Finizio, reached in Charlotte, N.C. The owners found out earlier this year that cyber thieves had been stealing customer data from their point-of-sale system.

When a breach occurs, the credit card company -- be it MasterCard, Discover Card or Visa -- fines the acquiring bank about $40 per card, Finizio said. If 1,000 card numbers are stolen, that's $40,000 in fines the bank passes on to the merchant. Banks also may withhold the money the merchant is owed from those credit card transactions.

The merchant may fight back, but either way, "it creates a mess," Finizio said.

The acquiring bank also can bring in a forensic auditor to evaluate the merchant's system in order to discover how a breach occurred. That cost starts at $10,000, he said.

Griselda Barajas-Keolanui, chairwoman of the Sacramento Hispanic Chamber of Commerce and owner of Griselda's Catering and Tex-Mex at the state Capitol in Sacramento, recalled a lesson she learned in the 1990s when her father's convenience store was broken into on Franklin Boulevard -- twice.

The second time, burglars shuffled through papers. The family bought a safe in which to lock important papers, and shredded papers they didn't need.

Today, Barajas-Keolanui said she has an outside information technology expert run quarterly tests on her computer systems to make sure they remain protected. The service costs $2,000 a year, but she said it's worth it to protect her customers.

"When someone gives you that kind of trust, it's very significant," she said.